diff options
author | John Thacker <johnthacker@gmail.com> | 2023-03-01 08:37:35 -0500 |
---|---|---|
committer | John Thacker <johnthacker@gmail.com> | 2023-03-03 01:52:31 +0000 |
commit | e1b85eacd47448aef68d0ef9ae1fe61ddefa3858 (patch) | |
tree | ba347dd25a6573f05db8183a0378a778902b3a2d /epan | |
parent | fc15fe3b4a771a0a05d7b8ea07545eb4d3690f68 (diff) |
epan: Do not try to add a bits item with negative bit length
A negative number of bits in a bit item isn't allowed. Treat it
as a very large number (i.e., as unsigned), and throw a
ReportedBoundsError. This was already happening in most cases,
but not in the edge case of a number of bits between -1 and -7
(which was being rounded up to 0 octets and passed our length checks.)
Fix #18877
Diffstat (limited to 'epan')
-rw-r--r-- | epan/proto.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/epan/proto.c b/epan/proto.c index 3487e98885..e81be43138 100644 --- a/epan/proto.c +++ b/epan/proto.c @@ -12254,6 +12254,9 @@ proto_tree_add_bits_item(proto_tree *tree, const int hfindex, tvbuff_t *tvb, PROTO_REGISTRAR_GET_NTH(hfindex, hfinfo); + if (no_of_bits < 0) { + THROW(ReportedBoundsError); + } octet_length = (no_of_bits + 7) >> 3; octet_offset = bit_offset >> 3; test_length(hfinfo, tvb, octet_offset, octet_length, encoding); @@ -12302,7 +12305,9 @@ _proto_tree_add_bits_ret_val(proto_tree *tree, const int hfindex, tvbuff_t *tvb, hf_field->abbrev, hf_field->name); } - if (no_of_bits == 0) { + if (no_of_bits < 0) { + THROW(ReportedBoundsError); + } else if (no_of_bits == 0) { REPORT_DISSECTOR_BUG("field %s passed to proto_tree_add_bits_ret_val() has a bit width of 0", hf_field->abbrev); } @@ -12674,7 +12679,9 @@ _proto_tree_add_bits_format_value(proto_tree *tree, const int hfindex, hf_field->abbrev, hf_field->name); } - if (no_of_bits == 0) { + if (no_of_bits < 0) { + THROW(ReportedBoundsError); + } else if (no_of_bits == 0) { REPORT_DISSECTOR_BUG("field %s passed to proto_tree_add_bits_format_value() has a bit width of 0", hf_field->abbrev); } |